Executive Summary

CVE-2026-27570 is a stored Cross-Site Scripting (XSS) vulnerability in the Discourse AI plugin, specifically in the Shared AI Conversation Onebox feature.

The vulnerability occurs because user-generated content, such as usernames and conversation titles, was rendered directly into HTML without proper sanitization or escaping. This allowed attackers to inject malicious scripts that would execute when the content was viewed.

The issue was fixed by modifying the code to apply proper HTML escaping (using ERB::Util.html_escape) to usernames and titles before rendering them in the HTML output, preventing script injection and execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with low privileges to inject malicious scripts into conversation titles or usernames that are then rendered unsanitized in HTML.

When these malicious scripts execute, they can compromise the confidentiality and integrity of information within the vulnerable Discourse system.

The impact on confidentiality and integrity is considered low, and there is no impact on availability.

Because the attack vector is network-based and requires low privileges, an attacker could exploit this remotely without user interaction.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Discourse AI plugin's Shared AI Conversation Onebox feature, caused by unescaped user input in usernames and conversation titles."}, {'type': 'paragraph', 'content': 'Detection involves checking if your Discourse instance is running a vulnerable version prior to 2026.1.2, 2026.2.1, or 2026.3.0-latest.1, and if the Shared AI Conversation Onebox feature renders user-generated content without proper HTML escaping.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves stored malicious scripts in conversation titles or usernames, you can detect it by searching your database or logs for suspicious HTML or JavaScript tags in these fields.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation or presence of malicious content include:'}, {'type': 'list_item', 'content': 'Query the database for conversation titles or usernames containing suspicious tags such as <script>, <img>, or event handlers like onerror.'}, {'type': 'list_item', 'content': "Example SQL command to find suspicious titles: SELECT id, title FROM topics WHERE title LIKE '%<script>%';"}, {'type': 'list_item', 'content': "Example SQL command to find suspicious usernames: SELECT id, username FROM users WHERE username LIKE '%<img%onerror=%';"}, {'type': 'paragraph', 'content': 'Additionally, review rendered HTML output of the Shared AI Conversation Onebox for unescaped user input that could indicate the vulnerability is present.'}] [1, 2, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade your Discourse installation to one of the patched versions: 2026.1.2, 2026.2.1, or 2026.3.0-latest.1, which include fixes that properly escape user input in the Shared AI Conversation Onebox feature.

If upgrading immediately is not possible, a recommended workaround is to tighten access by modifying the site setting `ai_bot_public_sharing_allowed_groups` to restrict which user groups can share AI conversations publicly.

This limits exposure of the vulnerability by reducing the number of users who can inject or view potentially malicious content.

In summary, immediate steps are:

• Upgrade Discourse to version 2026.1.2, 2026.2.1, or 2026.3.0-latest.1.
• Restrict the `ai_bot_public_sharing_allowed_groups` site setting to limit public sharing.

Useful 0 Not Useful 0